-
August 12th, 2004, 01:01 AM
#1
IDS detection
How do you detect if someone is running an IDS?
-
August 12th, 2004, 01:12 AM
#2
Nmap their network and see if the cops show up at your door or your ISP cuts you off. Seriously, I don't think that there is a reliable way to tell. It is a good question though.
-
August 12th, 2004, 01:16 AM
#3
Really... Unless you are inside his network in the first place he should have made it impossible for you to detect it. But then that might also depend upon the sysadmin's choice of IDS and his rules. In Snort for example I can use the "react" keyword.... It sends an RST to one or both ends of the conversation when it alerts.... But that would tell you I'm watching you..... So I don't use "reacts".... I just log you, block you or otherwise defeat you or wait for you to make a mistake..... which, if your intentions for asking the question are dishonorable you will surely make if you need to ask the question in the first place...... nuff said?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
August 12th, 2004, 01:19 AM
#4
It depends on how the IDS is setup. Quite often today we see IDS, like Snort, run on "Stealth" ports. One way might be to look for a default administrative port that specific IDSes use. Alternatively, listening for packets that might be sent back and forth (assuming you have access to the network to do so).
Certainly it's not unusual to see an attacker attempt to "flood" what might be an IDS network/IP. IDS are vulnerable to having too much data.
I did take a look around because I have to admit I haven't looked into this issue specifically (although I suspected that many of the existing problems with firewalls would also fall over to IDSes). Take a look at this article. While not detailed on specifics it should give you some ideas.
I do suspect that with the advent of combos (firewall + IDS) it may be easier for attackers to detect them (finding fingerprints of these applications) and thus make it easier for attackers to break these down. I'm personally a big fan of layers of security (have a separate box for an IDS, one for firewall, another for another firewall, etc.)
-
August 12th, 2004, 01:24 AM
#5
I would think that if the admins are looking at the IDS logs they will detect your probing for what IDS they have before you get a chance to use said information. Makes it somewhat pointless: either they are looking at their logs and see your probes for what IDS they use, or they aren't paying attention to what their IDS reports so it does not matter anyway. Still, interesting to know about Snort and "reacts".
-
August 12th, 2004, 01:28 AM
#6
Then there's Stick and Snot that they'll use to try to flood your IDS by using its own rules against it..... It might confuse the admin... It might drop the important packets.... But, oh, I forgot.... Snort has been hardened against such attacks since 1.8 or 9 I believe it was... Oh well.... another little avenue of pleasure cut off.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
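Posts #4 and #6 above describe floods that turn an IDS's own rules against it: one source replaying one packet per signature until the sensor or the admin drowns in alerts. As an added example (not code from this thread or from Snort), here is a small Python detector that reads constructed Snort-style "fast" alert lines and flags a source that trips an unusual number of alerts or distinct signatures inside a short window; the log format, thresholds and sample addresses are assumptions.

```python
"""Flag Stick/Snot-style alert floods: one source matching many distinct
rules in a short window. Added example; log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Approximation of Snort's "fast" alert line (assumed, not copied from Snort):
# "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):?\d*\s+->\s+(?P<dst>[\d.]+):?\d*"
)

def parse_alert(line):
    """Return (timestamp, signature id, source ip) or None for unparseable lines."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
    return ts, m["sid"], m["src"]

def flood_sources(lines, window_seconds=10, max_alerts=20, max_distinct_sids=5):
    """Return {src: (alerts, distinct sids)} for the busiest window of each source
    that exceeds either threshold. A real probe rarely matches many different
    signatures at once; a rule-driven flood does, because it replays one packet per rule."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_alert(line)
        if parsed:
            ts, sid, src = parsed
            by_src[src].append((ts, sid))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start, worst = 0, (0, 0)
        for end, (ts, _) in enumerate(events):      # sliding window over sorted alerts
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            worst = max(worst, (len(window), len({s for _, s in window})))
        if worst[0] > max_alerts or worst[1] > max_distinct_sids:
            flagged[src] = worst
    return flagged

# Constructed sample: 10.0.0.5 trips eight different rules within seven seconds,
# while 192.168.1.20 trips the same rule twice a minute apart (normal noise).
SAMPLE_ALERTS = [
    f"08/12-01:28:0{i}.000000  [**] [1:{2000 + i}:1] Constructed rule {i} [**] "
    f"[Priority: 2] {{TCP}} 10.0.0.5:4{i}000 -> 192.168.1.10:80" for i in range(8)
] + [
    "08/12-01:28:10.000000  [**] [1:3000:1] Constructed rule X [**] [Priority: 3] {TCP} 192.168.1.20:5555 -> 192.168.1.10:22",
    "08/12-01:29:10.000000  [**] [1:3000:1] Constructed rule X [**] [Priority: 3] {TCP} 192.168.1.20:5556 -> 192.168.1.10:22",
]

if __name__ == "__main__":
    print(flood_sources(SAMPLE_ALERTS))   # {'10.0.0.5': (8, 8)}
```

Tuning the window and thresholds to the sensor's normal alert rate matters more than the code: the point is to raise a separate, rate-based alert so the flood itself is noticed rather than buried in what it generates.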
-
August 12th, 2004, 05:07 PM
#7
Ok, thank you for the information. I was just wondering about IDSes, and one more thing: what kind of places usually run IDSes?
-
August 12th, 2004, 05:18 PM
#8
Any places that have smart IT staff.
-
August 12th, 2004, 06:39 PM
#9
How you secure your assets (specifically digital assets) is determined entirely by a risk assessment. The risk assessment places a "value" on your assets. From that value you determine the cost and the suitable tools you should use to defend those assets.
Thus, if your risk assessment indicates that it would be of value to protect the assets an IDS is a very useful tool when you consider that, for the largest part, nothing is secure.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
August 12th, 2004, 09:15 PM
#10
for the largest part, nothing is secure
Especially when your security admins are away on vacation/holidays...
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.